---
layout: docs
page_title: Events
description: >-
  Events allow Vault and plugins to exchange arbitrary activity data
  within Vault and with external subscribers via WebSockets.
---

# Events

@include 'alerts/beta.mdx'

Events are arbitrary, **non-secret** data that can be exchanged between producers (Vault and plugins)
and subscribers (Vault components and external users via the API).

## Event types

<!-- This information will probably be migrated to the plugin pages eventually -->

Internal components of Vault as well as external plugins can generate events.
These are published to "event types", sometimes called "topics" in some event systems.
All events of a specific event type will have the same format for their
additional `metadata` field.

The following events are currently generated by Vault and its builtin plugins automatically:

| Plugin | Event Type              | Metadata                                     | Vault version |
| ------ | ----------------------- | -------------------------------------------- | ------------- |
| kv     | `kv-v1/delete`          | `modified`, `operation`, `path`              | 1.13          |
| kv     | `kv-v1/write`           | `data_path`, `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/config-write`    | `data_path`, `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/data-delete`     | `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/data-patch`      | `data_path`, `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/data-write`      | `data_path`, `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/delete`          | `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/destroy`         | `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/metadata-delete` | `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/metadata-patch`  | `data_path`, `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/metadata-read`   | `data_path`, `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/metadata-write`  | `data_path`, `modified`, `operation`, `path` | 1.13          |
| kv     | `kv-v2/undelete`        | `data_path`, `modified`, `operation`, `path` | 1.13          |


## Event format

Events may be formatted in protobuf binary format or as JSON.
See `EventReceived` in [`sdk/logical/event.proto`](https://github.com/hashicorp/vault/blob/main/sdk/logical/event.proto) in the relevant Vault version for the protobuf schema.

When formatted as JSON, the event conforms to the [CloudEvents](https://cloudevents.io/) specification.

- `id` `(string)` - CloudEvents unique identifier for the event. The `id` is unique for each event, and events with the same `id` represent the same event.

- `source` `(string)` - CloudEvents source, which is currently `https://vaultproject.io`.

- `specversion` `(string)` - The CloudEvents specification version this conforms to.

- `type` `(string)` - CloudEvents type this event corresponds to, which is currently always `*`.

- ` datacontenttype` `(string)` - CloudEvents content type of the event, which is currently always `application/json`.

- `time` `(string)` - ISO 8601-formatted timestamp for when the event was generated.

- ` data` `(object)` - Vault-specific data.

  - `event` `(Event)` - contains the event that happened.

    - `id` `(string)` - (repeat of the `id` parameter)

    - `metadata` `(object)` - arbitrary extra data customized for the event type.

  - `event_type` `(string)` - the event type that was published.

  - `plugin_info` `(PluginInfo)` - information about the plugin that generated the event, if applicable.

    - `mount_class` `(string)` - the class of plugin, e.g., `secret`, `auth`.

    - `mount_accessor` `(string)` - the unique ID of the mounted plugin.

    - `mount_path` `(string)` - the path that the plugin is mounted at.

    - `plugin` `(string)` - the name of the plugin, e.g., `kv`.

Here is an example event in JSON format:

```json
{
  "id": "a3be9fb1-b514-519f-5b25-b6f144a8c1ce",
  "source": "https://vaultproject.io/",
  "specversion": "1.0",
  "type": "*",
  "data": {
    "event": {
      "id": "a3be9fb1-b514-519f-5b25-b6f144a8c1ce",
      "metadata": {
        "current_version": "1",
        "data_path": "secret/data/foo",
        "modified": "true",
        "oldest_version": "0",
        "operation": "data-write",
        "path": "secret/data/foo"
      }
    },
    "event_type": "kv-v2/data-write",
    "plugin_info": {
      "mount_class": "secret",
      "mount_accessor": "kv_5dc4d18e",
      "mount_path": "secret/",
      "plugin": "kv"
    }
  },
  "datacontentype": "application/cloudevents",
  "time": "2023-09-12T15:19:49.394915-07:00"
}
```

## Subscribing to events

Vault has an API endpoint, `/v1/sys/events/subscribe/{eventType}`, that allows users to subscribe to events via a
WebSocket stream.
This endpoint supports the standard authentication and authorization workflows used by other Vault endpoints.
The `{eventType}` parameter is a non-empty string of what event type to subscribe to, which may contain wildcards (`*`)
to subscribe to multiple events, e.g., `kv-v2/data-*`.

By default, the events are delivered in protobuf binary format.
The endpoint can also format the data as JSON if the `json` query parameter is set to `true`:

```shell-session
$ wscat -H "X-Vault-Token: $(vault print token)" --connect 'ws://127.0.0.1:8200/v1/sys/events/subscribe/kv-v2/data-write?json=true
{"id":"a3be9fb1-b514-519f-5b25-b6f144a8c1ce","source":"https://vaultproject.io/","specversion":"1.0","type":"*","data":{"event":{"id":"a3be9fb1-b514-519f-5b25-b6f144a8c1ce","metadata":{"current_version":"1","data_path":"secret/data/foo","modified":"true","oldest_version":"0","operation":"data-write","path":"secret/data/foo"}},"event_type":"kv-v2/data-write","plugin_info":{"mount_class":"secret","mount_accessor":"kv_5dc4d18e","mount_path":"secret/","plugin":"kv"}},"datacontentype":"application/cloudevents","time":"2023-09-12T15:19:49.394915-07:00"}
...
```

The Vault CLI support this endpoint via the `events subscribe` command, which will output a stream of
JSON for the requested events (one line per event):

```shell-session
$ vault events subscribe kv-v2/data-write
{"id":"a3be9fb1-b514-519f-5b25-b6f144a8c1ce","source":"https://vaultproject.io/","specversion":"1.0","type":"*","data":{"event":{"id":"a3be9fb1-b514-519f-5b25-b6f144a8c1ce","metadata":{"current_version":"1","data_path":"secret/data/foo","modified":"true","oldest_version":"0","operation":"data-write","path":"secret/data/foo"}},"event_type":"kv-v2/data-write","plugin_info":{"mount_class":"secret","mount_accessor":"kv_5dc4d18e","mount_path":"secret/","plugin":"kv"}},"datacontentype":"application/cloudevents","time":"2023-09-12T15:19:49.394915-07:00"}
...
```

## Policies

To subscribe to an event, you must have the following policy grants:

1. `read` capability on `/v1/sys/events/subscribe/{eventType}`, where `{eventType}` is the event type that will be
   subscribed to. The path may contain wildcards.

   An example blanket policy is:
   ```hcl
   path "sys/events/subscribe/*" {
       capabilities = ["read"]
   }
   ```

1. `list` and `subscribe` capabilities on the *path of the secret* for events
    related to secrets. The policy must also provide a `subscribe_event_types`
    entry with the specific events subscribers are allowed to use. For example,
    to receive events related to the KV secrets engine path,
     `secret/my-data`, a valid policy would be:

   ```hcl
   path "secret/my-data" {
     capabilities = ["list", "subscribe"]
     subscribe_event_types = ["*"]
   }
   ```

<Highlight title="Event payload for secrets is subject to change">
  If the policy for the path of the secret <strong>also</strong> contains
  the <code>read</code> capability, future versions of the events functionality may include the
  contents of the secret in the event payload.
</Highlight>

Vault continuously evaluates policies for WebSocket subscriptions and
caches the results for a short period of time to improve performance.
As a result, events **may** still be sent for a few minutes after a token is
revoked or a policy is deleted.

## Supported versions

Version | Support
------- | -------
<= 1.12 | Not supported
1.13    | Supported; **disabled** by default
1.14    | Supported; **disabled** by default
1.15+   | Supported; **enabled** by default

For versions where events are disabled by default, you can enable the
functionality with the `events.alpha1`
[experiment option](/vault/docs/configuration#experiments) in your Vault
configuration or from the command line with the `-experiments` flag. For example:

```shell-session
$ vault server -experiment events.alpha1
```